The con that is Notacon is upon us. Notacon is one of the best cons I have ever attended! It’s a great mix of hacking, security, art, technology and everything in between. It’s also small enough to network with others…oh, and it’s in Cleveland which means it’s affordable! Things get started tonight with a free preview beginning at 7pm! Some of the speakers will be giving previews of their talks so go check it out if you can.

The point that Robin, myself and others were trying to make way back in April was that this is a real threat and the bad guys have probably started to use Twitter for C2 even before Robin put out the code! We were hoping that by releasing the code Twitter (and others) would see this as perhaps an early warning of things to come and perhaps prepare some defense for it (yes, we know it’s hard to put a defense together for something like this). Now that we have a confirmed case used for malicious purposes we hope Twitter takes this seriously and can combat future C2 channels used for very bad things. It always takes something bad to happen to create change…where have you heard that before?

I’m back from Notacon 6 that took place in Cleveland over the weekend and finally have some time to get a post up. All I have to say is…wow. What a great con! This was my first Notacon (yeah, I live in Cleveland…sad I know) and I was totally impressed! There was a great line up of speakers, really fun events and a kick ass game room. The game room was really cool. They had everything from a fully loaded NES and Commodore 64 for your retro gaming fix as well as Rock Band and Guitar Hero. Speaking of Rock Band…myself, Chris, Jack, and Jane entered into the Rock Band competition as the “Notabots”. We won the highest score competition and walked away with over a case and a half of Bawls energy drink, a few books and a sweet retro floppy disk clock. If you know me at all…the energy drink was the best prize ever!

Just like most other smaller cons the best part is still the great networking opportunities. One talk that was really outstanding was the talk by James “Myrcurial” Arlen titled “From a Black Hat to a Black Suit – The Econopocalypse Now Edition”. His talk is honestly one that anyone wanting to advance their career in Information Security should see. One thing I took away from his talk was that those of us in Information Security should never forget to mentor others, especially those in an entry level position. Remember, we were all the new guy just getting our feet wet at some point…having a mentor is invaluable to the learning process especially in the beginning of your career. In addition, James is a great guy and is someone who has pretty much “seen it all” when it comes to the corporate world.

Details on the Social Network Bots Open Source Project
I created a SourceForge project for all the development for the bot army I am looking to create (joke). Basically I’m looking for others interested in developing bots for social networks to join up on the team and contribute code to the project. I have already talked to some of you at Notacon and it looks like a few of you would like to work on N0tab0t version 1.1 which might be…well interesting to say the least! You can check out the project on socialnetworkbots.com. We are looking for any kind of social network bot…not just Twitter bots. If you want to join in, post something on the project forum or send me an email.

Stay tuned. Lots more social media security research goodness coming soon! Thanks for sticking around for the ride!

It’s time to gear up for Notacon 6 which starts for me on Thursday night at 7pm. I will be at the preview night giving a short overview of my presentation on Saturday “Rise of the Autobots: Into the Underground of Social Network Bots”. I have been busy tuning and making some last minute updates to the presentation. Some of these last minute updates include some code that myself and a few others have been working on as well as the announcement of a new open source project. What would a con be without a release of some code right? This is exciting stuff that I’m looking forward to talking about in my presentation. It all goes down at 5pm in the East Ballroom on Saturday.

Shortly after my talk on Saturday I will have my presentation posted as well as links to the code being released and links to the new project I will be talking about. Stay tuned to this blog for those details over the weekend.

At Notacon I will also be participating in Notacon Radio with the other co-hosts of the Security Justice podcast. Follow Security Justice on Twitter for details on when we will be live. We should be doing some interviews with some of the speakers as well. If you are at the con, stop by and say Hi!

Some other events at Notacon…there is a Security Twits meetup taking place on Thursday organized by @geekgrrl. If you plan on going you need to RSVP via DM to her like yesterday…I’ll be there as well as a few others from Twitter.

I also posted a list of recommended Notacon speakers and events on the Security Justice web site you can check out here so I won’t regurgitate the speakers that I will be going to see. Anyway, I should be live tweeting as I usually do at conferences so be sure to follow me for Notacon updates.

Lastly…this has been a crazy 2-3 months for me. Lots of changes going on with things I have been involved with and projects I have been working on. With all of this activity it has left little time for the blog but I will be getting back into regular posting once things slow down a little so thanks for sticking around. I am still amazed that this whole social media/networking security research has really taken off for me. I must have found a niche! I still have a focus on pentesting (mostly for my job) but it’s cool to see how other interests evolve and morph into greater things. Such is life right?

How do you know that last friend request or Twitter follower was an actual live human being? The truth is…you don’t! Bots and bot manufacturers have become rampant in social networks such as MySpace, Facebook and Twitter exploiting the trust relationships that make social media work. Why are bots taking control of social networks? It’s simple. Social networks are the fastest growing phenomenon of our time. For example, Facebook alone recently reached 150 million potential targets for spammers, malware authors, and other undesirables in 2008. Social networks are only getting bigger and bots will be part of this trend.

This presentation will take you on a journey into the thriving bot underground where bots are manufactured for every purpose imaginable. We will talk about good bots, bad bots, *really* evil bots, how to identify bots, terminating bots and the future possibility of social network botnets to rule them all.

This talk is the result of many months of research that I have been doing on this subject. Here are three things from my research as a teaser for my talk:

1. You will find it fascinating that bots are a huge part of social networks. Bots are not only used by the bad guys but legitimate users as well.

2. There will be discussion on why spammers are targeting social networks and how most of this bot activity falls under the guise of “Blackhat SEO”. I have been finding that there is a thin line between what constitutes “Blackhat” vs. “Whitehat” and that line will continue to blur. You will be amazed (as I was) with the business and money making model(s) that spammers and malware authors use. There is a ton of money being made from using these techniques and tools! Want an idea how much? Check out Jeremiah Grossman’s recent presentation on Blackhat SEO…you might want to quit your day job.

3. How do you use bots to create accounts? What are the most popular tools available? How about just buying hacked/bot created accounts in bulk then use these tools to SPAM friends lists? Also, as a tie in to the tools that are used we will talk about why CAPTCHAs and other controls are not working. Finally, don’t forget about the new frontier of botnets and social networks…this is an untapped area that’s only going to get more interesting.

So, if you are coming to Notacon 6 (April 16th-19th) hopefully you can stop by. I promise, my talk will be entertaining! Stay tuned to this blog…after the talk I plan on releasing detailed articles on some of the specific topics from the talk.

What is Notacon?
Notacon is one of the most unique conferences you will ever attend! Notacon 6 is April 16th – 19th 2009 held in Cleveland, Ohio. Notacon explores and showcases technologies, philosophy and creativity often overlooked at many “hacker cons”. Registration is open!

Disclaimer

This is a personal weblog. The opinions expressed here represent my own and not those of my employer.